A method and system for transmitting a message in real time between users in a closed network of a vehicle (1), in particular a rail-mounted vehicle, are provided, wherein safety-relevant real-time data (D) of a message (N), including a transmitter id of a transmitter (3) within the closed network, is encrypted (S1) using a private key (KprivA) of the transmitter (3) in order to generate an encrypted message (N′); the encrypted message (N′), together with the unencrypted transmitter id of the transmitter (3), is transmitted (S2) from the transmitter (3) to a receiver (4) within the closed network via a vehicle bus (2), and the encrypted message (N′) is decrypted by the receiver (4) using a public key (KpublicA) of the transmitter (3) identified by the received, unencrypted transmitter id in order to retrieve the unencrypted message (N). The received transmitter id is compared with the transmitter id contained in the retrieved message (N) in order to determine whether the message (N) has been transmitted correctly.
25. In a closed network of a vehicle, a receiver connected to concurrently receive an unencrypted transmitter id and an encrypted message, which includes an encrypted transmitter id and safety-relevant real-time data, from a transmitter, the receiver comprising:
a memory configured to store a public key;
a decryption unit connected to the memory to obtain a public key that is selected based on the unencrypted transmitter id that was received by the receiver together with the encrypted message, the decryption unit configured to obtain a decrypted transmitter id by decrypting the encrypted message using the public key that was selected based on the unencrypted transmitter id that was received by the receiver together with the encrypted message; and
a comparison unit configured to compare the unencrypted transmitter id with the decrypted transmitter id obtained by decrypting the encrypted message in order to determine whether the message has been transmitted correctly.
24. A system for transmitting messages in real time between users in a closed network of a vehicle, the system comprising:
a vehicle bus;
at least one transmitter configured to encrypt safety-relevant real-time data of a message to be transmitted, including a transmitter id of said transmitter, using a private key of said transmitter in order to generate an encrypted message, said transmitter configured to transmit the encrypted message, which includes the safety-relevant real-time data and the transmitter id of said transmitter, together with an unencrypted transmitter id of said transmitter, on said vehicle bus; and
at least one receiver connected to said vehicle bus and configured to decrypt the encrypted message received through said vehicle bus using a public key of said transmitter identified by the received unencrypted transmitter id in order to decrypt the encrypted message and obtain a decrypted transmitter id;
said receiver configured to compare the decrypted transmitter id with the unencrypted transmitter id in order to determine whether the message has been transmitted correctly.
1. A method for transmitting a message in real time between users in a closed network of a vehicle, the method which comprises:
in an encryption unit, encrypting safety-relevant real-time data of a message and a transmitter id of a transmitter using a private key of the transmitter in order to generate an encrypted message;
transmitting the encrypted message, which includes the safety-relevant real-time data and the transmitter id, together with an unencrypted transmitter id of the transmitter which is in unencrypted form, from the transmitter to a receiver within the closed network via a vehicle bus;
in the receiver, receiving the encrypted message and the unencrypted transmitter id;
using the unencrypted transmitter id that was received by the receiver to obtain a public key of the transmitter;
in a decryption unit, decrypting the encrypted message received by the receiver using the public key of the transmitter to obtain the safety-relevant real-time data and a decrypted transmitter id; and
comparing the unencrypted transmitter id with the decrypted transmitter id in order to determine whether the message has been transmitted correctly.
2. The method according to
3. The method according to
4. The method according to
5. The method according to
6. The method according to
7. The method according to
8. The method according to
9. The method according to
10. The method according to
11. The method according to
12. The method according to
16. The method according to
17. The method according to
18. The method according to
19. The method according to
20. The method according to
21. The method according to
26. The receiver according to
27. The receiver according to
28. The receiver according to
29. The receiver according to
30. The receiver according to
31. The receiver according to
32. A non-transitory data medium for storing the computer program including computer code which, when loaded into a main memory of the computer, enables the computer to perform the method according to
The invention relates to a method and a device for enabling transmission between users in a closed network of a vehicle.
In data transmission in closed networks, in particular in the case of safety-relevant applications, it is imperative to avoid or exclude delays to data, transpositions of data, omissions of data, and data corruption. Furthermore, correct transmission of data to the right receiver must be ensured. Vehicles, in particular also rail-mounted vehicles, have a multiplicity of components or constituent parts, such as a brake controller, a drive controller, a sanitary facilities controller or an air conditioning system controller, which are connected via a vehicle bus to a server or a central controller. Each of these components or constituent parts sends and receives data. The components are interconnected via an Ethernet bus, for example. Particularly in safety-critical applications in real time, in the case of activation of the brakes of a train for example, the data that is transmitted via the vehicle bus must not be corrupted. Corruption of the data could lead to a train crash.
Conventional systems for transmitting messages in real time between users in a closed network of a vehicle offer only application-level integrity mechanisms such as a CRC (Cyclic Redundancy Check) or other checksums over the transmitted telegrams or messages: to check whether a message has arrived uncorrupted, the receiver recomputes the checksum over the received message and compares it with the transmitted one. This is problematic if several, and possibly less trustworthy, communication partners sit in the communication path or have access to the network. A checksum involves no secret, so any party able to write to the bus can recompute it for an altered or fabricated message; it detects accidental corruption but not deliberate modification or spoofing. In conventional systems it is therefore not possible to prove, in the event of data corruption, whether the corruption was caused by an internal error of the transmitter or by another communication partner that sent or altered the received message. Conventional systems thus offer no adequate protection, in particular against deliberate attacks.
The object of the invention is to provide a method and a device for transmitting a message in real time between users in a closed network of a vehicle in which corruption of a message, including deliberate alteration or forgery by another user of the network, is detected by the receiver before the message is acted upon.
This object is achieved according to the invention by a method as claimed.
The invention provides a method for transmitting a message between users in a closed network of a vehicle, the method comprising the following steps of:
(a) encrypting safety-relevant real-time data of a message, including a transmitter ID of a transmitter within the closed network, using a private key of the transmitter in order to generate an encrypted message;
(b) transmitting the encrypted message, together with the unencrypted transmitter ID of the transmitter, from the transmitter to a receiver within the closed network via a vehicle bus;
(c) decrypting the encrypted message by the receiver using a public key of the transmitter identified by the received, unencrypted transmitter ID in order to retrieve the unencrypted message;
(d) and comparing the received transmitter ID with the transmitter ID contained in the retrieved message in order to determine whether the message has been transmitted correctly.
In an embodiment of the method according to the invention, the transmitter calculates a transmit checksum on the safety-relevant real-time data to be transmitted, including the transmitter ID of the transmitter.
In an embodiment of the method according to the invention, the transmitter encrypts the calculated transmit checksum using a private key of the transmitter in order to generate an encrypted checksum.
In an embodiment of the method according to the invention, the transmitter transmits the encrypted transmit checksum, together with the safety-relevant real-time data including the transmitter ID, to the receiver via the vehicle bus.
In an embodiment of the method according to the invention, the receiver decrypts the encrypted transmit checksum received via the vehicle bus using a public key of the transmitter identified by the received, unencrypted transmitter ID in order to determine a first receive checksum.
In an embodiment of the method according to the invention, the receiver calculates a second receive checksum on the received safety-relevant real-time data including the transmitter ID of the transmitter.
In an embodiment of the method according to the invention, the receiver recognizes a correct transmission of the safety-relevant data and of the transmitter ID if the first receive checksum is identical to the second receive checksum.
In an embodiment of the method according to the invention, the transmitter transmits the encrypted transmit checksum, together with the safety-relevant real-time data including the transmitter ID and together with the unencrypted transmit checksum, to the receiver via the vehicle bus.
In an embodiment of the method according to the invention, the receiver decrypts the encrypted transmit checksum received via the transmission channel using a public key of the transmitter identified by the received, unencrypted transmitter ID in order to determine a first receive checksum.
In an embodiment of the method according to the invention, the receiver receives the transmitted, unencrypted transmit checksum as a second receive checksum and compares this with the determined first receive checksum.
In an embodiment of the method according to the invention, the receiver recognizes a correct transmission of the safety-relevant data and of the transmitter ID if the first receive checksum matches the second receive checksum.
In an embodiment of the method according to the invention, the checksums are formed using a CRC (Cyclic Redundancy Check) method.
In a possible embodiment of the method according to the invention, the vehicle is formed by a rail-mounted vehicle.
In an embodiment of the method according to the invention, the transmitter is formed by a control unit within the vehicle.
In a further embodiment of the method according to the invention, the receiver is formed by a central control unit within the vehicle.
In a further embodiment of the method according to the invention, a plurality of control units are connected to the central control unit via a common vehicle bus.
In an embodiment of the method according to the invention, the control unit is formed by a brake controller, a drive controller, a sanitary facilities controller or an air conditioning system controller.
In an embodiment of the method according to the invention, the real-time data output by the control units has different priority levels.
In an embodiment of the method according to the invention, a key length of a key for encrypting the real-time data is set as a function of the respective priority level of the real-time data.
In an embodiment of the method according to the invention, the real-time data having a high priority level and having a short permitted response time is encrypted using a key of short key length in order to minimize the time required for encryption and decryption.
In this embodiment the key length L is ≤ 128 bits.
In a further embodiment the key length L is ≤ 56 bits.
The invention further provides a system for transmitting messages in real time between users in a closed network of a vehicle having the features disclosed in claim 24.
The invention provides a system for transmitting messages in real time between users in a closed network of a vehicle, the system comprising:
(a) at least one transmitter which encrypts the safety-relevant real-time data of a message to be transmitted, including a transmitter ID of the transmitter, using a private key of the transmitter in order to generate an encrypted message;
(b) a vehicle bus for transmitting the encrypted message together with the unencrypted transmitter ID of the transmitter;
(c) and having at least one receiver which decrypts the received encrypted message using a public key of the transmitter identified by the received unencrypted transmitter ID in order to retrieve the unencrypted message and which compares the received transmitter ID with the transmitter ID contained in the retrieved message in order to determine whether the message has been transmitted correctly.
The invention further provides a transmitter within a closed network of a vehicle having the features disclosed in claim 25.
The invention provides a transmitter within a closed network of a vehicle, which transmitter, in order to transmit a message securely, encrypts safety-relevant real-time data of the message, including a transmitter ID of the transmitter, using a private key of the transmitter in order to generate an encrypted message and transmits the encrypted message, together with the unencrypted transmitter ID of the transmitter, to a receiver via a vehicle bus.
In an embodiment of the transmitter according to the invention, the transmitter calculates a transmit checksum for the safety-relevant real-time data to be transmitted, including the transmitter ID of the transmitter.
In an embodiment of the transmitter according to the invention, the transmitter encrypts the calculated transmit checksum using a private key of the transmitter in order to generate an encrypted transmit checksum.
In an embodiment of the transmitter according to the invention, the transmitter transmits the encrypted transmit checksum to the receiver via the vehicle bus.
In an embodiment of the transmitter according to the invention, the transmitter transmits the encrypted transmit checksum, together with the safety-relevant real-time data and together with the unencrypted transmit checksum, to the receiver via the vehicle bus.
The invention further provides a receiver within a closed network of a vehicle, which receiver, in order to retrieve the unencrypted message, decrypts a received, encrypted message using a public key that is identified by an unencrypted transmitter ID received together with the encrypted message, and compares the received transmitter ID with the transmitter ID contained in the retrieved message in order to determine whether the message has been transmitted correctly.
In an embodiment of the receiver according to the invention, the receiver decrypts the encrypted transmit checksum received via the vehicle bus using a public key of the transmitter identified by the received unencrypted transmitter ID in order to determine a first receive checksum.
In an embodiment of the receiver according to the invention, the receiver calculates a second receive checksum on the received safety-relevant real-time data including the transmitter ID of the transmitter.
In an embodiment of the receiver according to the invention, the receiver recognizes a correct transmission of the safety-relevant real-time data and of the transmitter ID if the first receive checksum is identical to the second receive checksum.
In an embodiment of the receiver according to the invention, the receiver decrypts the encrypted transmit checksum received via the vehicle bus using a public key of the transmitter identified by the received, unencrypted transmitter ID in order to determine a first receive checksum.
In an embodiment of the receiver according to the invention, the receiver receives the transmitted, unencrypted transmit checksum as a second receive checksum and compares it with the determined first receive checksum.
In an embodiment of the receiver according to the invention, the receiver recognizes a correct transmission of the safety-relevant real-time data and of the transmitter ID if the first receive checksum matches the second receive checksum.
The invention further provides a computer program for performing a method for transmitting a message in real time between users in a closed network of a vehicle, comprising the following steps of:
(a) encrypting safety-relevant real-time data of a message, including a transmitter ID of a transmitter within the closed network, using a private key of the transmitter in order to generate an encrypted message;
(b) transmitting the encrypted message, together with the unencrypted transmitter ID of the transmitter, from the transmitter to a receiver within the closed network via a vehicle bus;
(c) decrypting the encrypted message by the receiver using a public key of the transmitter identified by the received unencrypted transmitter ID in order to retrieve the unencrypted message;
(d) comparing the received transmitter ID with the transmitter ID contained in the retrieved message in order to determine whether the message has been transmitted correctly.
The invention further provides a data medium for storing a computer program of said type.
Preferred embodiments of the method and system according to the invention will be described hereinafter with reference to the schematic drawing, attached for the purpose of explaining features essential to the invention and in which:
As can be seen from
In step S2, the encrypted message N′ together with an unencrypted transmitter ID A-ID of the transmitter 3 is then transmitted from the transmitter 3 to the receiver 4 within the closed network via the vehicle bus 2.
In a further step S3, the received encrypted message N′ is decrypted by the receiver 4 using the public key KpublicA of the transmitter 3, which the receiver selects on the basis of the received, unencrypted transmitter ID, in order to retrieve the unencrypted message N.
In a further step S4, the receiver 4 compares the received transmitter ID A-ID with the transmitter ID contained in the retrieved message N in order to determine whether the message has been transmitted correctly or not.
The receiver 4 decrypts the encrypted message N′ received via the vehicle bus 2 using the public key KpublicA that is identified by the received, unencrypted transmitter ID A-ID. The received, unencrypted transmitter ID addresses a memory cell or a memory area in a memory 4A of the receiver 4 from which the associated public key KpublicA is read. A decryption unit 4B of the receiver 4 decrypts the received, encrypted message N′ with the aid of the read public key KpublicA in order to retrieve the unencrypted message N and, with it, the transmitter ID A-ID′ contained in the encrypted message N′. This retrieved transmitter ID A-ID′ is compared with the unencrypted, transmitted transmitter ID A-ID by a comparison unit 4C within the receiver 4 in order to determine whether the message has been transmitted correctly. If the transmitter ID A-ID transmitted in unencrypted form differs from the transmitter ID A-ID′ retrieved from the decrypted message N, an error has occurred during transmission of the message, and error handling is initiated; the real-time data D is passed on to the application only if the comparison succeeds. The same mismatch arises if the message N′ was not generated with the private key KprivA belonging to the transmitted ID, for instance because another user of the bus sent a message under the ID A-ID: decryption with KpublicA then yields random-looking data rather than A-ID.
In a first embodiment of the method according to the invention, the transmitter 3 calculates a transmit checksum C on the safety-relevant real-time data D including the transmitter ID of the transmitter 3. The encryption unit 3B of the transmitter 3 encrypts the calculated transmit checksum C using the read private key KprivA of the transmitter 3 in order to generate an encrypted checksum C′. Said encrypted transmit checksum C′ is transmitted from the transmitter 3, together with the safety-relevant real-time data D including the transmitter ID A-ID of the transmitter 3, to the receiver 4 via the vehicle bus 2. The decryption unit 4B of the receiver 4 decrypts the encrypted transmit checksum C′ received via the vehicle bus 2 using the public key KpublicA, read from the memory 4A, of the transmitter 3 identified by the received, unencrypted transmitter ID in order to determine a first receive checksum C1. In addition the receiver 4 calculates a second receive checksum C2 on the received safety-relevant real-time data D including the received transmitter ID of the transmitter 3, in the same way as the transmitter did. The first receive checksum C1 and the second receive checksum C2 are then compared. The receiver 4 recognizes a correct transmission of the safety-relevant data D and of the transmitter ID if the first receive checksum C1 is identical to the second receive checksum C2.
In a second alternative embodiment of the method according to the invention, the transmitter 3 transmits the encrypted transmit checksum C′, together with the safety-relevant real-time data D including the transmitter ID and together with the unencrypted transmit checksum C, to the receiver 4 via the vehicle bus 2. The decryption unit 4B within the receiver 4 decrypts the encrypted transmit checksum C′ received via the vehicle bus 2 using the read public key KpublicA of the transmitter 3 identified by the received, unencrypted transmitter ID A-ID in order to determine a first receive checksum C1. The receiver 4 receives the transmitted, unencrypted transmit checksum C as a second receive checksum C2 and compares this with the determined first receive checksum C1. The receiver 4 recognizes a correct transmission of the safety-relevant data and of the transmitter ID if the first receive checksum C1 matches the second receive checksum C2. Since C is itself transmitted unencrypted, this comparison on its own only establishes that C′ was formed over C by the holder of KprivA; to also detect corruption of the real-time data D on the bus, the receiver must in addition recompute the checksum over the received D and transmitter ID and compare it with C, as in the first embodiment.
In a possible embodiment of the method according to the invention, the checksums are formed using a CRC (Cyclic Redundancy Check) method. The method according to the invention uses an asymmetric cryptographic method as proof of origin and of correct transmission of a message; in current terminology, "encrypting" with the private key and "decrypting" with the public key is a digital signature operation. In this way the correctness of the data D of the transmitter 3 can be proven at the application level. For this purpose each communications user connected to the vehicle bus 2 is assigned a key pair consisting of a public key and a private (secret) key; the public keys of all users are stored in the receiver, while each private key remains with its owner. The safety-relevant data part of the message or telegram, including the transmitter ID of the transmitter 3, is encrypted using the private key Kpriv of the transmitter 3 and transmitted as a message, together with the unencrypted information identifying the transmitter. The receiver 4 can then decrypt the message of the transmitter 3 using the public key Kpublic of the transmitter 3. Because every user holds the public keys, this protects the authenticity and integrity of the data, not its confidentiality: any user on the bus can read the transmitted data. By means of the method it is possible to identify data corruption on the communication path, as well as an attempt by another user to masquerade as the transmitter 3, since such a user does not possess KprivA. The transmitted data is thus protected not only against technical corruption but also against deliberate alteration or forgery by parties that do not hold the transmitter's private key.
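The transmit and receive paths of both embodiments, as an added example written for this page and not code from the patent: textbook unpadded RSA on fixed Mersenne primes stands in for the asymmetric "encrypt with the private key, decrypt with the public key" step, CRC-32 from zlib is used for the checksum variant, and the transmitter ids BRK1 and HVA1, the brake telegram, the 0x01 framing byte and the key dictionaries are assumptions of the example. The receiver holds every transmitter's public key, so opening a telegram here proves origin and integrity only; it does not hide the data from other users of the bus.

```python
# Added example (not the patent's code): toy RSA with fixed primes models the
# private-key "encryption" / public-key "decryption" step, which is a digital
# signature in modern terms. Ids, payloads and keys are constructed.
import struct
import zlib
from typing import Optional, Tuple


def _keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)) for primes p and q. Toy: no primality checks."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))        # modular inverse, Python >= 3.8
    return (n, e), (n, d)


# Mersenne primes keep the example deterministic; real keys are generated
# randomly, are far larger, and never have this recognisable structure.
_PUB_A, _PRIV_A = _keypair((1 << 127) - 1, (1 << 89) - 1)  # brake controller
_PUB_B, _PRIV_B = _keypair((1 << 107) - 1, (1 << 61) - 1)  # air-conditioning controller

PUBLIC_KEYS = {b"BRK1": _PUB_A, b"HVA1": _PUB_B}    # memory 4A of the receiver
PRIVATE_KEYS = {b"BRK1": _PRIV_A, b"HVA1": _PRIV_B}  # each held by its own transmitter


def _seal(block: bytes, tx_id: bytes) -> bytes:
    """Step S1: raise the block to the private exponent of transmitter tx_id."""
    n, d = PRIVATE_KEYS[tx_id]
    # The 0x01 marker preserves length and leading zeros across the integer
    # conversion; it is framing for this example, not a padding scheme.
    m = int.from_bytes(b"\x01" + block, "big")
    if m >= n:
        raise ValueError("block too large for this key's modulus")
    return pow(m, d, n).to_bytes((n.bit_length() + 7) // 8, "big")


def _open(sealed: bytes, tx_id: bytes) -> Optional[bytes]:
    """Step S3: apply the public exponent of the key selected by tx_id."""
    key = PUBLIC_KEYS.get(tx_id)
    if key is None:
        return None                          # no such transmitter in memory 4A
    n, e = key
    m = pow(int.from_bytes(sealed, "big"), e, n)
    framed = m.to_bytes((m.bit_length() + 7) // 8, "big")
    if not framed.startswith(b"\x01"):
        return None                          # wrong key or corrupted block
    return framed[1:]


# Basic method (claims 1, 24, 25): seal id + data, compare the two ids.
def build_telegram(tx_id: bytes, data: bytes) -> Tuple[bytes, bytes]:
    """Steps S1/S2: return (unencrypted id, N') where N' seals id + data."""
    return tx_id, _seal(tx_id + data, tx_id)


def check_telegram(tx_id_clear: bytes, sealed: bytes) -> Optional[bytes]:
    """Steps S3/S4: open N' with the key chosen by the clear id; return the
    data only if the decrypted id matches, so a caller cannot act on it otherwise."""
    plain = _open(sealed, tx_id_clear)
    if plain is None:
        return None
    k = len(tx_id_clear)
    if plain[:k] != tx_id_clear:             # comparison unit 4C
        return None
    return plain[k:]


# Checksum embodiment: id + data in clear, only the CRC is sealed.
def build_telegram_crc(tx_id: bytes, data: bytes) -> Tuple[bytes, bytes, bytes]:
    """Transmitter: C = CRC-32 over id + data, C' = C sealed; send all three."""
    crc = zlib.crc32(tx_id + data) & 0xFFFFFFFF
    return tx_id, data, _seal(struct.pack(">I", crc), tx_id)


def check_telegram_crc(tx_id_clear: bytes, data: bytes, sealed_crc: bytes) -> bool:
    """Receiver: C1 by opening C', C2 recomputed over received id + data."""
    c1_bytes = _open(sealed_crc, tx_id_clear)
    if c1_bytes is None or len(c1_bytes) != 4:
        return False
    c1 = struct.unpack(">I", c1_bytes)[0]
    c2 = zlib.crc32(tx_id_clear + data) & 0xFFFFFFFF
    return c1 == c2


def demo() -> dict:
    """Genuine, corrupted and forged telegrams on the same bus."""
    data = b"BRAKE:APPLY"                    # constructed payload
    tx_id, sealed = build_telegram(b"BRK1", data)
    corrupted = bytearray(sealed)
    corrupted[5] ^= 0x01                     # one bit flipped in transit
    forged = _seal(b"BRK1" + data, b"HVA1")  # HVA1's key, claiming BRK1's id
    return {
        "genuine": check_telegram(tx_id, sealed) == data,
        "tampered": check_telegram(tx_id, bytes(corrupted)) is not None,
        "forged": check_telegram(b"BRK1", forged) is not None,
    }


if __name__ == "__main__":
    print(demo())   # {'genuine': True, 'tampered': False, 'forged': False}
```

The forged telegram fails for the reason the text gives: it was sealed under HVA1's private key, so opening it with the public key selected by the claimed id BRK1 yields neither the framing byte nor the id. A real deployment would replace the raw modular exponentiation with a padded signature scheme and generated keys; the id lookup, the compare-before-use rule and the two checksum paths are what the example is meant to show.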
The method according to the invention enables communication between an arbitrary number of users and is therefore suitable for communication in closed networks that also have a relatively high number of components communicating with one another.
In a possible embodiment of the method according to the invention, the real-time data D output by the components or control units has different priority levels. For example, real-time data for the brake controller has a higher priority than real-time data for the sanitary facilities controller. Since only a very short delay may occur in the case of particularly safety-critical real-time data, in an embodiment of the method according to the invention the key length L of a key K for encrypting the real-time data D is set as a function of the respective priority level of the real-time data D: the shorter the key length L, the faster the real-time data can be encrypted and then decrypted. Real-time data D having a high priority level and a short permitted response time, i.e. particularly safety-critical and time-critical real-time data, is therefore encrypted using a key K having a short key length L, for example less than 128 bits, in order to minimize the time required for encryption and decryption, while other data having a lower priority level is encrypted using a key K having a longer key length L.
In a possible embodiment, real-time data D having a high priority level and a short permitted response time is encrypted using a key K that has a key length L of less than 56 bits. This is a trade-off of cryptographic strength against latency: asymmetric keys of 128 bits or less, let alone 56 bits, are far below the sizes regarded as secure against an attacker with ordinary computing resources, so the protection such short keys afford against manipulation attempts by third parties is limited and rests on the network remaining closed to such attackers.
The transmitted real-time data D may be any real-time data, for example sensor data generated by sensors or control data transmitted by a controller.
The vehicle 1 is, for example, a rail-mounted vehicle such as a train. However, the vehicle 1 may also be another vehicle that has an internal closed network, for example an aircraft, ship or motor vehicle.
Porsch, Roland, Rothbauer, Stefan
Executed on | Assignor | Assignee | Conveyance | Reel/Frame
Feb 20 2009 | | Siemens Aktiengesellschaft | (assignment on the face of the patent) |
Sep 03 2010 | PORSCH, ROLAND | Siemens Aktiengesellschaft | ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS) | 027980/0248
Oct 21 2010 | ROTHBAUER, STEFAN | Siemens Aktiengesellschaft | ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS) | 027980/0248
Date | Maintenance Fee Events |
Oct 11 2013 | ASPN: Payor Number Assigned. |
Apr 06 2017 | M1551: Payment of Maintenance Fee, 4th Year, Large Entity. |
Jun 28 2021 | REM: Maintenance Fee Reminder Mailed. |
Dec 13 2021 | EXP: Patent Expired for Failure to Pay Maintenance Fees. |
Date | Maintenance Schedule |
Nov 05 2016 | 4 years fee payment window open |
May 05 2017 | 6 months grace period start (w surcharge) |
Nov 05 2017 | patent expiry (for year 4) |
Nov 05 2019 | 2 years to revive unintentionally abandoned end. (for year 4) |
Nov 05 2020 | 8 years fee payment window open |
May 05 2021 | 6 months grace period start (w surcharge) |
Nov 05 2021 | patent expiry (for year 8) |
Nov 05 2023 | 2 years to revive unintentionally abandoned end. (for year 8) |
Nov 05 2024 | 12 years fee payment window open |
May 05 2025 | 6 months grace period start (w surcharge) |
Nov 05 2025 | patent expiry (for year 12) |
Nov 05 2027 | 2 years to revive unintentionally abandoned end. (for year 12) |